Data processing agreement (DPA)

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) supplements the Master Services Agreement (the “Agreement”) entered into by and between (i) the customer entity that is a party to the Agreement (“Customer”) and (ii) Aerospike, Inc. (collectively, “Aerospike” or “Company”) (hereinafter, the “Parties”). This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement. Aerospike may modify the terms of this DPA from time to time. If there is any inconsistency between the terms of this DPA and the Agreement or any other agreement between the Parties relating to the subject matter of this DPA, the terms of this DPA shall prevail.

  1. DEFINITIONS

    1. “Adequacy Decision” means a European Commission decision determining that a transfer of Personal Data to a specific third country, territory or one or more specified sectors within that third country is secured by an adequate data protection regime in place. As of the effective date of this DPA, the following countries have received an Adequacy Decision from the European Union: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay, the United States (commercial organizations participating in the EU-US Data Privacy Framework) and the United Kingdom (UK).

    2. “Company Account Data” means Personal Data that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has provided and associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, providing maintenance and support, identity verification, or as otherwise required by applicable laws and regulations.

    3. “Company Usage Data” means service usage data collected and Processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

    4. “Customer Data” means any Personal Data processed by Company on behalf of Customer in the course of providing Services or otherwise performing its obligations under the Agreement.

    5. “Data Privacy Legislation” means data protection or privacy laws, regulations, or regulatory requirements, guidance and codes of practice to the extent applicable to the Processing of Personal Data in connection with this DPA, including, without limitation, the California Consumer Privacy Act and the European General Data Protection Regulation and/or UK General Data Protection Regulation as well as the UK Data Protection Act 2018 (together referred to as “GDPR”), each as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Customer directly or indirectly operates.

    6. “Data Subject Request” means a request from a Data Subject, Consumer, or authorized third party to exercise rights under applicable Data Privacy Legislation.

    7. “Deidentified Data” means data that cannot reasonably be linked to an identified individual or identifiable individual.

    8. “Personal Data Breach” means the actual unauthorized destruction, loss, alteration, disclosure of, use of, or access to Customer Data transmitted, stored, or otherwise Processed, or any other security incident involving Customer Data.

    9. “Services” means the contracted services that form the basis of the Agreement.

    10. “Personal Data” means (a) any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household, (b) any information related to an identified or identifiable natural person; or (c) any information that is defined as “personal data” or “personal information” by applicable Data Privacy Legislation.

    11. “Supervisory Authority” means (i) an independent public authority which is established by a Member State pursuant to Article 51 GDPR (e.g., the Data Protection Commission in Ireland) or (ii) the Information Commissioner’s Office (ICO) in the UK.

    12. Other Terms. The terms “Business,” “Consumer,” “Controller,” “Data Subject,” “Joint Controller,” “Process” (and its cognates), “Processor,” “Sell” (and its cognates), “Service Provider,” and “Share” (and its cognates) have the meanings given to them under relevant Data Privacy Legislation.

  2. ROLES OF THE PARTIES; PROCESSING OF DATA

    1. In relation to the Processing of Customer Data, the Parties acknowledge that Customer shall be acting as a Controller or Business (as appropriate), responsible for determining the purposes for which and the manner in which Customer Data is to be Processed, and Company shall be a Processor or Service Provider (as appropriate) under this DPA.  

    2. A description of the Processing, including the categories of Customer Data and the purpose for which Customer Data is Processed, can be found in Schedule I to this DPA.

    3. Each Party must comply with all applicable requirements of Data Privacy Legislation when Processing Customer Data under the Agreement, including providing the same level of privacy protection as required of Customer, as applicable, by the Data Privacy Legislation. 

    4. Company shall not knowingly do anything or knowingly permit anything to be done that might lead to a breach by Customer of the Data Privacy Legislation.

    5. Customer shall not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with Data Privacy Legislation. 

    6. Company shall:

      1. Only Process the Customer Data in accordance with Customer’s documented instructions and directions, including as set forth in this DPA and the Agreement, unless Company is required to Process Customer Data for other purposes under applicable law to which the Company is subject. Where such a requirement is placed on Company, it shall inform Customer unless prohibited by applicable law;

      2. Inform Customer if, in Company’s opinion, instructions given by Customer infringe Data Privacy Legislation prior to implementing such instructions;

      3. Notify Customer after Company makes a determination that it can no longer meet its obligations under this DPA or Data Privacy Legislation; 

      4. Process, use, disclose, or retain Customer Data only for the term of the Agreement or as otherwise specified in Schedule I to this DPA, whichever is earlier, and only for the limited and specified business purposes included in Schedule I to this DPA (the “Business Purposes”);

      5. Not: (a) Sell or Share the Customer Data with any third parties; (b) retain, use, or disclose the Customer Data for any commercial purpose other than the Business Purpose, unless expressly permitted by Data Privacy Legislation; (c) retain, use or disclose the Customer Data outside of Company’s direct business relationship with Customer, including by combining or updating the Customer Data with information Company received from another source or that Company collected from its own interactions with Data Subjects or Consumers, unless expressly permitted by Data Privacy Legislation;

      6. Ensure that all persons who have access to Customer Data are subject to a duty of confidentiality. Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or as required by applicable law;

      7. If Customer receives a request from a Data Subject attempting to exercise his or her rights under Data Privacy Legislation; any legally binding request for disclosure of; and/or request for access to Customer Data by a law enforcement authority unless otherwise prohibited under applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; or any legally binding request, order or inspection activity by a Supervisory Authority or other competent authority relating to Customer Data or privacy protection, promptly notify Customer. Customer is responsible for responding to Data Subject requests;

      8. Cooperate and provide reasonable assistance to Customer to respond to (i) Data Subject Requests under Data Privacy Legislation; and (ii) any inquiry made, investigation, or assessment of Processing initiated by any governmental authority;

      9. Use reasonable endeavors to assist Customer in its own compliance with Data Privacy Legislation, in connection with this DPA, including assisting Customer with data protection impact assessments, where required under Data Privacy Legislation, and as follows where required by Data Privacy Legislation:

        1. Customer shall use reasonable efforts to assist Customer with its obligations to consult the competent Supervisory Authorities prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by Company to mitigate the risk. Customer shall be responsible for any costs and expenses arising from any such assistance by Company.

      10. Allow Customer to, upon notice, take reasonable and appropriate steps to stop and remediate Company’s unauthorized use of Customer Data;

      11. Upon termination of its provision of Services, delete in a secure manner or return all Customer Data to Customer and delete any existing copies of the Customer Data, unless retention is required by applicable law or permitted by applicable law. If return or destruction is impossible or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control; and

      12. Take reasonable measures to ensure that any Deidentified Data Company receives from Customer cannot be associated with a Data Subject or Consumer, publicly commit to maintain and use the Deidentified Data only in deidentified form and not attempt to reidentify the data, not attempt to reidentify any Deidentified Data, except for the purpose of determining whether the deidentification process satisfies applicable Data Privacy Legislation, and contractually obligate recipients of the Deidentified Data to meet these same requirements.

  3. INFORMATION AND AUDITS

    1. Upon Customer’s reasonable request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either:

      1. Make available to Customer information necessary to demonstrate compliance with this DPA, including copies of certifications or reports demonstrating such compliance; or  

      2. Where permitted by applicable Data Privacy Legislation and where the provision of reports or certifications is not sufficient under applicable Data Privacy Legislation, Company may arrange for a qualified and independent assessor to conduct an assessment of Company’s policies and physical, technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Company shall provide a report of such assessment to Customer upon reasonable request. Such assessment shall only be performed during business hours and occur no more than once per calendar year; and such audit shall be restricted to Customer Data. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits.

    2. Should the assessment show a breach of this DPA or Data Privacy Legislation, including, but not limited to, security or confidentiality requirements, Customer may require Company to immediately remedy this breach. 

    3. Where required by Data Privacy Legislation, the Parties shall make the information referred to in this Section 5, including the results of any assessments, available to the competent Supervisory Authority upon request of the Supervisory Authority.

    4. Where required by Data Privacy Legislation, Company agrees to cooperate in good faith with the Supervisory Authority.

  4. USE OF SUB-PROCESSORS 

    1. Customer consents to the engagement of the authorized sub-Processors listed in Schedule I.

    2. Customer shall not engage any sub-Processors to Process Customer Data without a prior notice to and opportunity to object for Customer. If Customer reasonably objects, Customer must do so within ten (10) days of being informed of such new sub-Processor and the Parties shall work together in good faith to agree on a reasonable solution, which may include termination of this DPA without penalty. If Customer does not object to the engagement of a new sub-Processor in accordance with Section 4.2 within ten (10) days of notice by Company, that third party will be deemed an authorized Sub-Processor for the purposes of this DPA.

    3. Subject to the consent requirements above, Company may not engage any sub-Processor to Process Customer Data unless: (a) the sub-Processor is subject to a written agreement which imposes on the sub-Processor obligations that are compliant with Data Privacy Legislation and are no less protective than the terms set out in this DPA. At Customer’s reasonable request, Company shall provide a copy of the sub-Processor agreement and any subsequent amendments to Customer. To the extent necessary to protect business secrets or other confidential information, including Personal Data, Company may redact the text of the agreement prior to sharing the copy.

    4. Where required by Data Privacy Legislation, Company shall include a third party beneficiary clause with the sub-Processor whereby — in the event Company has factually disappeared, ceased to exist in law or has become insolvent — Customer shall have the right to terminate the sub-Processor contract and to instruct the sub-processor to erase or return the Customer Data.

    5. For the avoidance of doubt, if Company engages a sub-Processor, Company remains liable to Customer for the performance of the sub-Processor’s obligations under Data Privacy Legislation. Company shall notify Customer of any material failure by the sub-Processor to fulfill its contractual obligations.

  5. SECURITY

    1. Company shall implement appropriate technical, physical, and organizational measures to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access in accordance with Data Privacy Legislation. In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the Data Subjects.

    2. The technical, physical, and organizational measures are documented in Schedule IV.

    3. Company shall, without undue delay following its becoming aware of a Personal Data Breach, notify Customer of such Personal Data Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Company’s reasonable control). As part of that notification, Company shall provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its notification obligations under applicable Data Privacy Legislation.

    4. The obligations described in Section 5.3 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Company’s obligation to report or respond to a Personal Data Breach under Section 5.3 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.

  6. COMPANY’S ROLE AS A CONTROLLER

    1. The Parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent Controller, not a Joint Controller with Customer. Company will process Company Account Data and Company Usage Data as a Controller (i) to manage the relationship with Customer; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Data Privacy Legislation and in accordance with this DPA and the Agreement. Company may also Process Company Usage Data as a Controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any Processing by the Company as a Controller shall be in accordance with the Company’s privacy policy set forth at aerospike.com/forms/privacy-policy.

  7. INTERNATIONAL DATA TRANSFERS

    1. The Parties agree that, to the extent any Customer Data is subject to the GDPR:

      1. Any transfer of Customer Data from Customer to a country outside the European Economic Area and/or the UK without an Adequacy Decision shall be subject to the terms of Schedules II and/or III, as appropriate. For purposes of such Schedule II and/or III, Customer is the data exporter and Company is the data importer. If any of the provisions of Schedule II and/or III are inconsistent with or in conflict with any of the provisions of this DPA then, to the extent of any such inconsistency or conflict, the provisions of Schedule II and/or III shall prevail.

      2. Company shall not transfer Customer Data outside the European Economic Area and/or the UK without: (i) obtaining Customer’s prior written consent and (ii) taking such measures as Customer may reasonably request to ensure that such transfer complies with Data Privacy Legislation, which includes, at Customer’s request, entering into (or procuring that such other persons as Company may reasonably specify enter into) appropriate contractual safeguards to protect such further sharing or transfer.

  8. CERTIFICATION AND VIOLATION RIGHTS

    1. In the event that Company is in breach of its obligations under this DPA, Customer may instruct Company to suspend the Processing of Customer Data until the latter complies with this DPA or the Agreement is terminated. 

    2. Customer shall be entitled to terminate the Agreement insofar as it concerns Processing of Customer Data in accordance with this DPA if:

      1. The Processing of Customer Data by Company has been suspended by Customer pursuant to Section 8.1 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;

      2. Company is in substantial or persistent breach of this DPA or its obligations under Data Privacy Legislation; or

      3. Company fails to comply with a binding decision of a competent court or the competent Supervisory Authorities regarding its obligations pursuant to this DPA or Data Privacy Legislation.

    3. Where required by Data Privacy Legislation, Company shall be entitled to terminate the Agreement insofar as it concerns Processing of Customer Data under this DPA where, after having informed Customer that its instructions infringe applicable legal requirements, Customer insists on compliance with the instructions.

  9. SEVERANCE

    1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

  10. GOVERNING LAW AND JURISDICTION

    1. The Parties submit to the choice of jurisdiction and governing law stipulated in the Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity, termination or the consequences of its nullity.

Schedule I: Description of Processing


Description

Data Subjects Whose Personal Data is Processed

The categories of Data Subject to which Customer’s Personal Data will relate are determined and controlled by the Customer in its sole discretion and may include, but are not limited to, Customer end-users and customers and Customer personnel.

Personal Data Processed

Company processes Personal Data contained in Company Account Data, Company Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Company in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data are determined and controlled by the Customer in its sole discretion and may include, but are not limited to, name, location, email address, phone number, address, occupation, and title.

Sensitive Data Processed/Transferred and Related Security Measures

None.

Nature of the Processing

Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA. The nature of Processing includes, without limitation:

Receiving data, including collection, accessing, retrieval, recording, and data entry

Holding data, including storage, organization and structuring

Using data, including analysis, consultation, testing, automated decision making and profiling

Updating data, including correcting, adaptation, alteration, alignment and combination

Protecting data, including restricting, encrypting, and security testing

Sharing data, including disclosure, dissemination, allowing access or otherwise making available

Returning data to the data exporter or data subject upon request

Erasing data, including destruction and deletion

Purpose of Processing (Business Purposes)

See “Nature of the Processing.”

Frequency of Transfers (international transfers only)

As necessary to perform all obligations and rights with respect to Personal Data as provided in the Agreement or DPA.

Duration of Processing

Company will Process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Company Account Data and Company Usage Data will be Processed and stored as set forth in Company’s privacy policy.

Retention Period 

Customer Data will be retained by the Company for the period required to provide the Service and shall delete or return all Customer Data within [30 days] of the termination of the Agreement and/or any request of the Company.

List of Sub-Processors

| Name of Authorized Sub-Processor | Address | Description of processing | Country in which sub-processing will take place |
| --- | --- | --- | --- |
| Amazon Web Services (AWS), Inc. | Seattle, WA | Cloud provider: Aerospike Cloud is run on AWS infrastructure; customer data is hosted in AWS regions | USA, UK, Singapore |
| Datadog, Inc. | New York, NY | Observability and monitoring: Collects and analyzes logs, metrics, and traces from Aerospike services for monitoring and incident response | USA |
| Auth0 (by Okta) | Bellevue, WA | Identity and authentication: Identity and authentication services | USA |
| Google Inc. | | Email Support; Email and document repository: Email support, and document repository | |
| PagerDuty | San Francisco, CA | Alert Management: On-call and alert management for production incidents and service reliability | USA |
| SendGrid/Twilio | Denver, CO | Email service provider (outbound) | USA |
| Salesforce, Inc. | San Francisco, CA | Support services | |



Schedule II: EU SCCs


This Schedule II applies to the Processing of Personal Data, where Customer is subject to the GDPR (excluding the UK General Data Protection Regulation).


  1. Incorporation of SCCs. Module 2 of the Standard Contractual Clauses for the transfer of Personal Data (“SCCs”, available as of the Effective Date of this DPA at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) is hereby incorporated by reference into this DPA and shall apply to the transfer of Personal Data as described in this Schedule II to the extent required by the GDPR.

  2. Existence of adequacy decision. To avoid doubt, the SCCs shall not apply to the extent that the international transfer is permitted as a result of an Adequacy Decision.  

  3. Modifications to modules. The following elections are made in relation to the SCCs:

    1. Clause 7 (docking clause) — not selected.

    2. Clause 9 (use of sub-processors) — Option 2 is selected and the time period shall be 30 days.

    3. Clause 11 (redress) — optional wording is not included.

    4. Clause 17 (governing law) — Option 2 is selected and the applicable governing law shall be the laws of the EU Member State where the data exporter is located.

    5. Clause 18 (choice of forum and jurisdiction) — The applicable governing law shall be the laws of the EU Member State where the data exporter is located.

  4. Details of data processing. The details required by the annexes to the SCCs shall be as follows:

Details of data importer and exporter

| Entity name | Role | Contact details | Relevant activities |
| --- | --- | --- | --- |
| Customer | Data exporter | Customer’s contact details given in the Agreement | Entity will export Personal Data to the data importer for the purposes described in Schedule I of this DPA. |
| Company | Data importer | Aerospike, Inc.; Address: 2440 West El Camino Real Suite 700 Mountain View, CA 94040; Official Registration Number: Delaware: #4731217; Contact person: Amy Lee, CFO legal@aerospike.com | Entity will import Personal Data from the data exporter for the purposes described in Schedule I of this DPA. |


The relevant data importer or exporter’s signature of this DPA shall be deemed to include its signature to the SCCs. 

Description of transfer

| Item | Description |
| --- | --- |
| Categories of data subjects whose personal data is transferred | See Schedule I of this DPA |
| Categories of personal data transferred | See Schedule I of this DPA |
| Sensitive data transferred and restrictions applied | See Schedule I of this DPA |
| Frequency of transfer | See Schedule I of this DPA |
| Nature of processing | See Schedule I of this DPA |
| Purpose of data transfer and further Processing | See Schedule I of this DPA |
| Period for which personal data will be retained or, if that is not possible, the criteria used to determine that period | See Schedule I of this DPA |
| Subject matter, nature and duration of transfers to sub-processors | See Schedule I of this DPA |
| Competent supervisory authority | The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. |
| Technical and organizational measures | See Schedule IV of this DPA |
| List of sub-processors | See Schedule I of this DPA |



Schedule III: UK ADDENDUM



  1. Incorporation of UK SCCs. If an international transfer of Personal Data is subject to UK General Data Protection Regulation, then to the extent required by the UK General Data Protection Regulation:

    1. the SCCs shall be incorporated by reference into this DPA, with the modifications and details described in section 3 of Schedule II; 

    2. those SCCs shall be supplemented and amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under section 119A(1) of the UK Data Protection Act 2018 (“UK SCCs”), available at the date of this DPA at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf; and

    3. the information requested in Tables 1 to 3 of the UK SCCs shall be deemed completed with the information set out in section 1.4 of Schedule II of this DPA. The information requested in Table 4 of the UK SCCs shall be deemed completed as follows: either the data importer or data exporter may end the UK SCCs.

  2. Existence of adequacy decision. To avoid doubt, the UK SCCs shall not apply to the extent that the international transfer is permitted as a result of an adequacy regulation issued under the UK Data Protection Act 2018.     

Schedule IV: Technical and organizational measures to ensure the security of the data

Description of the technical and organizational security measures implemented by the Processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons. 

Technical and Organizational Security Measure

Descriptions

Measures of pseudonymisation and encryption of Personal Data

Aerospike applies pseudonymisation where feasible and encrypts data in transit using Transport Layer Security (TLS 1.2+/1.3) and at rest (AES-128 or equivalent). Further, data transmitted between nodes is also encrypted using TLS. Keys are managed in a centralized KMS with role separation.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Aerospike ensures ongoing confidentiality, integrity, availability and resilience through risk-based Information Security Management Systems (ISMS) and controls including role-based access controls (RBAC), multi-factor authentication (MFA), least-privilege, security information and event management (SIEM) monitoring, vulnerability/patch management, penetration testing, a secure software development life cycle (SDLC), encrypted backups with periodic restore testing, defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets, and independent third party audits.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Aerospike maintains a Business Continuity and Disaster Recovery (“BCDR”) Plan aligned to ISO/IEC 27001 that defines roles and responsibilities and escalation paths for incidents that affect availability. Aerospike maintains an Incident Response Policy aligned to ISO/IEC 27001 that covers detection, classification, containment, recovery, evidence preservation and post incident analysis. Incidents are tracked with root-cause and remediation details, and affected customers are notified in a timely manner.

The BCDR Plan and Incident Response Policy are reviewed and tested on an annual basis.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Aerospike maintains a Vulnerability Management Program aligned with ISO/IEC 27001. The program includes continuous and scheduled vulnerability scanning of infrastructure and application components, risk-based vulnerability evaluation and prioritization, tracked remediation and change control, and verification of fixes. 

Aerospike utilizes trusted third-party tool(s) for static/dynamic and dependency scanning and applies patches or mitigation based on severity. Aerospike also conducts independent third-party assurance activities, including SOC 2 Type II and ISO audits and periodic penetration tests, to assess the effectiveness of technical and organisational measures.

Measures for user identification, authorization, and event logging

Aerospike enforces user identification, authorization, and event logging through an ISO/IEC 27001-aligned Access Control Policy and Operations Security Policy. 

Users are provisioned and deprovisioned via documented onboarding/offboarding processes; access is granted on a least-privilege, RBAC basis, and privileged access is restricted to authorized personnel on an as-needed basis. Strong authentication (MFA) is required for all Aerospike user accounts and remote access. Authentication, authorization and privileged-activity events are recorded, protected and retained for review and audit; alerting and review processes feed documented incident-response workflows for timely investigation and remediation. Periodic access reviews are performed, and evidence of approvals, revocations and relevant session logs is retained to support audits and investigations.

Measures for the protection of data during transmission

Aerospike encrypts data in transit using Transport Layer Security (TLS 1.2+/1.3). Further, data transmitted between nodes is also encrypted using TLS.

Measures for the protection of data during storage

Aerospike encrypts all Customer Data at rest using industry-standard algorithms (AES-128 or equivalent). 

Measures for ensuring physical security of locations at which personal data are processed

Aerospike uses Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, which maintain industry-leading physical security controls to protect data centers where data is processed. These controls include, but are not limited to:

Restricted access: Data centers are located in secure facilities with strictly limited physical access granted only to authorized personnel.

24/7 monitoring: Facilities are continuously monitored through video surveillance, intrusion detection systems, and on-site security staff.

Multi-factor authentication: Physical access requires multiple layers of authentication such as biometric scans, security badges, and PINs.

Environmental controls: Data centers employ fire detection and suppression systems, redundant power supplies, and climate controls to ensure data integrity and availability.

Independent audits and certifications: All three providers hold recognized certifications such as ISO 27001, SOC 1/2/3, and compliance with standards including GDPR and CSA STAR, confirming adherence to rigorous physical and operational security standards.


 

Measures for ensuring system configuration, including default configuration

System configurations are managed through formally defined configuration management procedures to ensure that all systems are securely and consistently configured prior to deployment and throughout their lifecycle.

Default configurations are reviewed and hardened in accordance with organizational security baselines and industry best practices before systems are placed into production. Unnecessary services, accounts, and ports are disabled or removed to reduce potential attack surfaces.

Configuration standards are maintained in a centralized repository, and any changes to configurations follow the organization’s formal change management process, including review, approval, and documentation.

Regular automated scans and periodic manual reviews are performed to verify that configurations remain compliant with approved security baselines. Deviations or unauthorized changes are detected through continuous monitoring and promptly remediated.

Measures for internal IT and IT security governance and management

Aerospike maintains an Information Security Program aligned to ISO/IEC 27001. The Information Security Steering Committee (ISSC) governs the program; responsibilities, authorities and accountabilities are documented and measurable metrics are produced and reported to the ISSC and senior management. 


The program includes a policy lifecycle (creation, review and approval), a documented risk-management process and risk register, and measurable security metrics that are reported to ISSC and senior management. Key policies include Access Control, Operations Security, Incident Response, Vulnerability Management, Business Continuity & Disaster Recovery, Vendor Management and Data Protection, Change Management, and Patch Management. Assurance activities include periodic internal audits, control testing, and tracked remediation of findings. 

Pre-employment screening is performed in accordance with local law and role-based security training is provided during onboarding and at least annually. Policies, roles, metrics and remediation status are reviewed regularly and reported to ISSC and senior management. 

Measures for certification/assurance of processes and products

Aerospike maintains independent assurance through its ISO 27001 certification and SOC 2 Type II attestation. Copies of the certification and report are available to customers under NDA. Aerospike conducts regular internal audits and tracks all identified findings through a formal remediation process.

Measures for ensuring data minimisation

Aerospike collects only the data necessary to deliver its products and services to its users.

Measures for ensuring data quality

Aerospike implements controls to ensure the accuracy, completeness, and reliability of data throughout its lifecycle. Data quality is maintained through defined data handling procedures, access controls, and validation mechanisms. Reviews and checks help identify and correct inaccuracies. Additionally, change management and monitoring processes ensure that data integrity is preserved across systems and environments. 

Measures for allowing data portability, retention, and ensuring erasure

Customers have the ability to read, export or extract their data stored in the database at any time without restriction for purposes of data portability and retention outside the service.


Aerospike implements backup retention policies and deletes backups at end-of-retention; upon subscription termination, access to the cloud-hosted database ceases and data deletion/return procedures are followed per the agreement.

Technical and organizational measures of sub-processors

Aerospike maintains a Vendor Management Policy that requires due diligence, a security questionnaire, contract clauses imposing security obligations, and at least annual review of critical vendors and sub-processors. Aerospike maintains the current sub-processors list, and will notify customers of material changes per the DPA.